Guest WiFi setup with one main router and a couple of APs in bridge mode

Hi,

I’m trying to create a Guest WiFi network on my existing infrastructure. I want to isolate it so that guest users don’t have access to the rest of the network (I would like to share specific devices/IP addresses to the guest network), but they will have internet.

Hardware and setup:
Main Router: CRS109-8G-1S-2HnD-IN - internet goes here, dhcp server is also here. It’s a standard Home AP config
APs: CRS109-8G-1S-2HnD-IN - the APs are connected to the main router and they are in bridge mode

Main router config:

/interface bridge
add admin-mac=xxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country=xxx disabled=no \
    distance=indoors frequency=2427 mode=ap-bridge ssid="XXXXX" station-roaming=enabled \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
    MikroTik wpa-pre-shared-key=xxxxx wpa2-pre-shared-key=xxxxx
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,r\
    omon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=sfp1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1
/ip route
add disabled=yes distance=1 gateway=xxxxxx
add disabled=yes distance=1 dst-address=192.168.87.0/24 gateway=192.168.88.17

AP configuration:

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce \
    country=xxx disabled=no installation=indoor mode=ap-bridge ssid=\
    XXXXX wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eeeC \
    country=xxx disabled=no frequency=auto installation=indoor mode=\
    ap-bridge ssid=XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=XXXX \
    wpa2-pre-shared-key=XXXX
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip dhcp-client
add disabled=no interface=bridge1
/system identity
set name=mt_ap_xxxx

I want to create the guest WiFi only on one of the APs, which is closer to the meeting room:

This is my planned configuration for the AP:

  • Create new security profile for guest network
  • Create new virtual WiFi interface with the new security profile
  • I’m stuck here

So I have a couple of questions:

  • Should I create a new bridge and a new DHCP server on the main router or on the AP? I’m assuming these need to be on the main router, since my current DHCP server is there
  • How do I connect the AP’s virtual WiFi interface to the newly created bridge/DHCP server on the main router? Should I use a VLAN approach?

I’ve searched for similar topics but I couldn’t find one that solves my problem.

Some guidance will be much appreciated, thanks!

I would start from this post by pcunite (the same author of the main VLAN related tutorial on the forum: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 ):
http://forum.mikrotik.com/t/guest-vlan-with-router-ap-using-new-bridge-vlan-filtering-sample-config/124903/1

It seems like your setup is similar to that one; the only difference is that you have a second AP (on which you do not want the guest wi-fi, so it should not need to be VLANed).

Disagree, both APs should have the management or trusted VLAN sent to them (as that is where the AP gets its IP address from).
Additionally, all other data VLANs (trusted WiFi, guest WiFi, IoT WiFi, etc.) should be passed to the APs as well.
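
The VLAN approach both replies point at, written out against the exports above as an added example (this is not code from the linked posts or from anyone in this thread). Assumptions, also marked in the comments: the AP that gets the guest SSID hangs off ether3 of the main router, the guest VLAN is 20 on 192.168.20.0/24, the virtual AP interface is named guest-wifi (as the OP plans to create it), the devices to share with guests are kept in an address list named guest-shared with an example address of 192.168.88.50, and the router runs a RouterOS 6.41+ release with bridge VLAN filtering. Management and the trusted wi-fi stay untagged on VLAN 1, the default pvid, so nothing else in the existing config needs to move apart from the management address.

```routeros
# ---- Main router (CRS109) ----
# Assumption: the AP is cabled to ether3. Trusted traffic stays untagged on
# VLAN 1 (default pvid); the guest VLAN 20 is tagged towards the AP and
# towards the bridge itself so the router can terminate it.
# The export above has 192.168.88.1/24 on the ether2-master port (old
# master-port style); with VLAN filtering the address belongs on the bridge,
# so move it there first.
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether3
/interface vlan
add name=vlan20-guest vlan-id=20 interface=bridge
/interface list
add name=GUEST
/interface list member
add interface=vlan20-guest list=GUEST
/ip address
add address=192.168.20.1/24 interface=vlan20-guest network=192.168.20.0
/ip pool
add name=pool-guest ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=1.1.1.1,8.8.8.8
# Devices the OP wants to expose to guests (assumed example address).
/ip firewall address-list
add list=guest-shared address=192.168.88.50 comment="example: printer"
# The defconf chains only accept established/related and drop invalid before
# falling through, so appending is enough for new guest connections.
/ip firewall filter
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67 comment="guest: DHCP to router"
add chain=input action=drop in-interface-list=GUEST comment="guest: nothing else to the router"
add chain=forward action=accept in-interface-list=GUEST dst-address-list=guest-shared comment="guest: shared devices"
add chain=forward action=drop in-interface-list=GUEST dst-address=192.168.88.0/24 comment="guest: isolate from LAN"
# Enable filtering last, from Safe Mode (Ctrl-X in the CLI), so a mistake in
# the tagged/untagged entries cannot lock you out over the bridge.
/interface bridge
set [ find name=bridge ] vlan-filtering=yes

# ---- AP carrying the guest SSID ----
# guest-wifi is the planned virtual AP interface (assumed name). It becomes an
# untagged VLAN 20 port; the uplink ether1 carries VLAN 20 tagged. The AP keeps
# its own DHCP address untagged on VLAN 1, so no bridge1 membership in VLAN 20.
/interface wireless
set [ find name=guest-wifi ] default-forwarding=no
/interface bridge port
add bridge=bridge1 interface=guest-wifi pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=guest-wifi
/interface bridge
set [ find name=bridge1 ] vlan-filtering=yes
```

default-forwarding=no on the guest virtual AP is the part the bridge and firewall cannot do for you: frames between two clients of the same SSID never reach the router, so the AP itself has to refuse to relay them. Whether the CRS109 switch chip offloads the VLAN filtering depends on the RouterOS version; /interface bridge port print shows an H flag on ports that are offloaded.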

For anyone interested I’ve used this configuration on the AP https://www.youtube.com/watch?v=6P0MDlYWR_E

Maybe or maybe not :open_mouth: (mistakes and typos happen).
It would be better/easier if you post your current configuration of the AP.

I’ve implemented the following configuration on my AP, but there is no internet on the guest network. DHCP works, I’m connecting, but no internet.

The AP has 2Ghz and 5Ghz SSIDs and the guest wifi is virtual of the 2Ghz

/interface bridge
add name=bridge-guest
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country=xx \
    disabled=no installation=indoor mode=ap-bridge ssid=xxx wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eeeC country=xx \
    disabled=no frequency=auto installation=indoor mode=ap-bridge ssid=xxx \
    wireless-protocol=802.11 wps-mode=disabled
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=\
    MikroTik wpa-pre-shared-key=xxxx wpa2-pre-shared-key=xxxx
add authentication-types=wpa2-psk mode=dynamic-keys name=profile-guest supplicant-identity="" \
    wpa2-pre-shared-key=xxxx
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4A:A9:8A:13:D5:26 master-interface=wlan1 \
    multicast-buffering=disabled name=guest-wifi security-profile=profile-guest ssid=\
    xxx-GUEST2 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-guest name=dhcp-guest
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge-guest interface=guest-wifi
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
/ip dhcp-client
add disabled=no interface=bridge1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.10.1

What could possibly be the problem?

You seem to have the gateway set to “self” (10.10.10.1).
If the router has a dhcp server enabled (as it normally should) there might be additionally a conflict with the dhcp addresses.

Post the output of these commands (on the AP):

/ip address print

and:

/ip route print

Here is the output:

[admin@xxx] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                          
 0   10.10.10.1/24      10.10.10.0      bridge-guest                                                       
 1 D 192.168.88.215/24  192.168.88.0    bridge1



[admin@xxx] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.88.1              1
 1 ADC  10.10.10.0/24      10.10.10.1      bridge-guest              0
 2 ADC  192.168.88.0/24    192.168.88.215  bridge1                   0

Yep, how can the 10.10.10.x devices connect to the gateway at 192.168.88.1? :open_mouth:
Do you want to route that connection? :question:

I guess to have internet I need to be able to connect to the gateway. Will that give me access to the rest of the network (192.168.88.0/24) as well? Because I don’t want that.

Okay, so what I did is I’ve created masquerade rule to translate traffic from 10.10.10.0/24 to 192.168.88.0/24 network like so:

/ip firewall nat add chain=srcnat action=masquerade out-interface=bridge1 src-address=10.10.10.0/24

and then I’ve created a firewall rule to isolate the networks like so:

/ip firewall filter add chain=forward action=drop src-address=10.10.10.0/24 dst-address=192.168.88.0/24

Now I have internet and I don’t have access to the 192.168.88.0/24 network from the guest wifi 10.10.10.0/24

Is my approach correct?

IMHO, correct or incorrect is in the eye of the beholder.

Your AP now behaves as a bridge for the “normal” wi-fi and as a router for the “guest” wi-fi.
If you prefer, you have double (or triple, depending on what your connection to the ISP is) NAT on the guest “wi-fi”.

This may well drive a lot of network experts up the wall in desperation.

But in practice the main downsides are probably only a little more CPU usage, slightly increased latency and reduced bandwidth, all things that you probably do not care about.

Usually a few firewall rules (besides the one you already added) are added to allow the guest clients to connect only through the AP and router, preventing access to them and to other guest devices, like:

/ip firewall address-list
add address=10.10.10.2-10.10.10.254 list="Guest WiFi"
/ip firewall filter
add action=drop chain=input dst-address=10.10.10.1 
add action=drop chain=forward dst-address=192.168.88.0/24 src-address-list="Guest WiFi"
add action=drop chain=forward out-interface-list=!WAN src-address=10.10.10.0/24

Your current firewall rule:

/ip firewall filter add chain=forward action=drop src-address=10.10.10.0/24 dst-address=192.168.88.0/24

unlike the one above with the address list, should also prevent the AP (10.10.10.1) from accessing the router and its subnet (192.168.88.0/24), but it could be fine; again, it depends on what you prefer.

Your current interface list members need to be corrected, generally and for the last rule above to work, like:

/interface list member
add interface=bridge1 list=WAN
add interface=bridge-guest list=LAN

I don’t think that in such a setup the bridge-guest is actually strictly needed, i.e. I believe you could use the guest-wifi interface directly, but it has to be tested; to me a bridge with only one interface in it is counter-intuitive.
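
The routed variant from this exchange, assembled into one added example for the AP (not code from anyone in the thread). It keeps the OP’s bridge-guest / 10.10.10.0/24 design and the masquerade, applies the interface-list fix and the address-list rule from the last reply, and adds the two things still missing: client isolation on the SSID itself, and a way to expose the selected LAN devices the OP asked about in the first post. Assumed, and marked as such in the comments: the shared-device address list guest-shared with an example entry of 192.168.88.50, and the rule comments. The input rule matches on in-interface=bridge-guest instead of dst-address=10.10.10.1 so that DHCP broadcasts and unicast renewals are handled by the same pair of rules.

```routeros
# Client-to-client isolation on the guest SSID: frames between two clients of
# the same virtual AP never cross the bridge or the IP firewall, so the AP has
# to refuse to relay them itself.
/interface wireless
set [ find name=guest-wifi ] default-forwarding=no

# bridge1 is the AP's uplink towards the main router, so for the guest rules it
# is the "WAN" side, as the last reply suggests; bridge-guest is the LAN side.
/interface list member
add interface=bridge1 list=WAN
add interface=bridge-guest list=LAN

/ip firewall address-list
add list="Guest WiFi" address=10.10.10.2-10.10.10.254
# Assumed example of a LAN device the OP wants reachable from the guest wi-fi.
add list=guest-shared address=192.168.88.50 comment="example: printer"

# Guests leave the AP behind its own 192.168.88.x address. LAN devices have no
# route back to 10.10.10.0/24, so this masquerade also covers the shared-device
# case; without it the reply from 192.168.88.50 would go to the main router.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=bridge1

/ip firewall filter
# input: guests may only obtain a lease from the AP, nothing else
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=67 comment="guest: DHCP"
add chain=input action=drop in-interface=bridge-guest comment="guest: no access to the AP"
# forward: return traffic first, then the explicit exception, then the drops
add chain=forward action=accept connection-state=established,related comment="guest: replies"
add chain=forward action=accept src-address-list="Guest WiFi" dst-address-list=guest-shared comment="guest: shared devices"
add chain=forward action=drop src-address-list="Guest WiFi" dst-address=192.168.88.0/24 comment="guest: isolate from LAN"
add chain=forward action=drop src-address=10.10.10.0/24 out-interface-list=!WAN comment="guest: only towards the uplink"
```

Order matters in the forward chain: the shared-device accept has to sit above the 192.168.88.0/24 drop, and the established/related accept above both, otherwise the replies from a shared device (source 192.168.88.50, destination 10.10.10.x) would pass but a guest’s second packet to it would not. The last rule is what turns the WAN/LAN list fix into isolation: anything from the guest range that is not leaving through bridge1 is dropped, which includes traffic the AP would otherwise route between guest clients on different interfaces.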